In news:%23wkENG7aFHA.3840@tk2msftngp13.phx.gbl,
David H. Lipman <DLipman~nospam~@Verizon.Net> had this to say:

My reply is at the bottom of your sent message:

> Hi Malke:
>
> I have a NEW utility. It combines Trend Sysclean, the McAfee
> Command Line Scanner and the Sophos Command Line Scanner all in one
> menu driven utility.
>
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> After you execute and extract the files, look at the PDF help file.
> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>
> Let me know what you think and how it can be improved.

Dave,

I'm not Malke (you knew that though) but would you mind if I play with that?
I enjoyed your last malware removal process a great deal. (Thread long since
cycled out of the NGs I'm sure.) And, would you want additional traffic (if
it works out that way) from here:

Malware Cleaning :
http://www.kgiii.info/windows/all/general/malwarefix.html

If so where would you like me to link them? (You can reply off-list if you
want.)

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes

David H. Lipman

07-09-2005, 11:49 PM

From: "Galen" <galennews@gmail.com>

|
| Dave,
|
| I'm not Malke (you knew that though) but would you mind if I play with that?
| I enjoyed your last malware removal process a great deal. (Thread long since
| cycled out of the NGs I'm sure.) And, would you want additional traffic (if
| it works out that way) from here:
|
| Malware Cleaning :
| http://www.kgiii.info/windows/all/general/malwarefix.html
|
| If so where would you like me to link them? (You can reply off-list if you
| want.)
|
| Galen
| --
|
| "And that recommendation, with the exaggerated estimate of my ability
| with which he prefaced it, was, if you will believe me, Watson, the
| very first thing which ever made me feel that a profession might be
| made out of what had up to that time been the merest hobby."
|
| Sherlock Holmes
|

Galen:

Please go right ahead and "kick the tires" and take it for a road test.

And yes, you can link to them. ;-)

I eagerly await your findings...and feedback.

--
The people think the Constitution protects their rights;
But government sees it as an obstacle to be overcome.
some support
http://www.usdoj.gov/olc/secondamendment2.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
message news:%23wkENG7aFHA.3840@tk2msftngp13.phx.gbl...
| Hi Malke:
|
| I have a NEW utility. It combines Trend Sysclean, the
| McAfee Command Line Scanner and the
| Sophos Command Line Scanner all in one menu driven
| utility.
|
| http://www.ik-cs.com/programs/virtools/Multi_AV.exe
|
| After you execute and extract the files, look at the PDF
| help file.
| "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
|
| Let me know what you think and how it can be improved.
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|

David H. Lipman

07-09-2005, 11:49 PM

From: "Jim Macklin" <p51mustang[threeX12]@xxxhotmail.calm>

| Did those companies license you to use them?
|
| --
| The people think the Constitution protects their rights;
| But government sees it as an obstacle to be overcome.
| some support
| http://www.usdoj.gov/olc/secondamendment2.htm

> Hi Malke:
>
> I have a NEW utility. It combines Trend Sysclean, the McAfee
> Command Line Scanner and the Sophos Command Line Scanner all in one
> menu driven utility.
>
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> After you execute and extract the files, look at the PDF help file.
> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>
> Let me know what you think and how it can be improved.
>
Hi, Dave. I've downloaded it and promise to extract it and play with it
tomorrow. It's 7:34 PM here in California and I'm tired from cleaning
up clients' machines all day.* I'll fire up a Windows machine first
thing in the AM and report back. You are so clever to be able to write
these programs - thank you for all your hard work.

*(One lady had over 30,000 files infected with Sasser.B among other cr*p
- her av hadn't been updated in 3 years! Amazingly, XP Pro didn't need
a reinstall and everything is working beautifully now.)

David H. Lipman wrote:
> Hi Malke:
>
> I have a NEW utility. It combines Trend Sysclean, the McAfee Command Line Scanner and the
> Sophos Command Line Scanner all in one menu driven utility.
>
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> After you execute and extract the files, look at the PDF help file.
> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>
> Let me know what you think and how it can be improved.
>

Good job David-
Have tried it on win2000pro(NTFS) will try it later on XPpro and 98se.
Will add a link to it on my pages soon.
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.

roberto

07-09-2005, 11:49 PM

I think you should do one thing!!! Call Guinness to inscribe that PC!!! That's a
record!!! 3 years and still alive????

Simply...no words!! I can't believe it!!

"Malke" <invalid@not-real.com> wrote in message
news:OLV8YM9aFHA.796@TK2MSFTNGP09.phx.gbl...
> David H. Lipman wrote:
>
> > Hi Malke:
> >
> > I have a NEW utility. It combines Trend Sysclean, the McAfee
> > Command Line Scanner and the Sophos Command Line Scanner all in one
> > menu driven utility.
> >
> > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
> >
> > After you execute and extract the files, look at the PDF help file.
> > "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
> >
> > Let me know what you think and how it can be improved.
> >
> Hi, Dave. I've downloaded it and promise to extract it and play with it
> tomorrow. It's 7:34 PM here in California and I'm tired from cleaning
> up clients' machines all day.* I'll fire up a Windows machine first
> thing in the AM and report back. You are so clever to be able to write
> these programs - thank you for all your hard work.
>
> *(One lady had over 30,000 files infected with Sasser.B among other cr*p
> - her av hadn't been updated in 3 years! Amazingly, XP Pro didn't need
> a reinstall and everything is working beautifully now.)
>
> Talk to you later,
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User

Zvi Netiv

07-09-2005, 11:49 PM

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> Hi Malke:

Would you mind for others' comments? ;-)

> I have a NEW utility. It combines Trend Sysclean, the McAfee Command Line Scanner and the
> Sophos Command Line Scanner all in one menu driven utility.
>
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> After you execute and extract the files, look at the PDF help file.
> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>
> Let me know what you think and how it can be improved.

Nice!

A couple of comments, to consider for further versions:

I personally hold that cleaning under Windows should be conducted from self
boot, from the installed OS. Yet since you mention the option of clean booting
for Win 9x/Me with the aid of a boot disk made from www.bootdisk.com, be aware
that there exists a free (for private use) boot disk with full read-write NTFS
access from DOS, at http://www.datapol-technologies.com/dpe/recovery/ntfs/

In your instructions (PDF file), I would recommend that anything you suggest
running from safe mode be run from safe mode WITH COMMAND PROMPT instead.
The reason is that much malware loads by injecting through Explorer, which loads
in safe mode just as well. You have my permission to include the ToggleMode
utility in your package, if required. You may need it to start Win 9x/Me in
safe mode with command prompt (a mode they lack inherently). From
www.invircible.com/item/80

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
|
>> Hi Malke:
|
| Would you mind for others' comments? ;-)
|
>> I have a NEW utility. It combines Trend Sysclean, the McAfee Command Line Scanner and
>> the Sophos Command Line Scanner all in one menu driven utility.
>>
>> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>>
>> After you execute and extract the files, look at the PDF help file.
>> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>>
>> Let me know what you think and how it can be improved.
|
| Nice!
|
| A couple of comments, to consider for further versions:
|
| I personally hold that cleaning under Windows should be conducted from self
| boot, from the installed OS. Yet since you mention the option of clean booting
| for Win 9x/Me with the aid of a boot disk made from www.bootdisk.com, be aware
| that there exists a free (for private use) boot disk with full read-write NTFS
| access from DOS, at http://www.datapol-technologies.com/dpe/recovery/ntfs/
|
| In your instructions (PDF file), I would recommend that anything you suggest
| running from safe mode be run from safe mode WITH COMMAND PROMPT instead.
| The reason is that much malware loads by injecting through Explorer, which loads
| in safe mode just as well. You have my permission to include the ToggleMode
| utility in your package, if required. You may need it to start Win 9x/Me in
| safe mode with command prompt (a mode they lack inherently). From
| www.invircible.com/item/80
|
| Regards, Zvi
| --
| NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
| InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

Hi Zvi:

I relish your comments. Thanx !
I'll look into those ideas you have provided.

You mentioned -- "...malware load by injecting through Explorer..." The script will look at
the "shell=explorer.exe" directive of the Registry in NT and in SYSTEM.INI in Win9x/ME. If
there is malware being chained off of explorer such as...
shell=explorer.exe malware.exe
When you run the script in Normal Mode to update the Command Line Scanner (CLS), it will
properly set the shell= directives back to "shell=explorer.exe" and should not load the
malware again when rebooted into Safe Mode.
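The shell= check Dave describes above, written out as an added example (this is not Dave's script or any part of Multi_AV; it is illustration code for this thread). It assumes that "explorer.exe" is the only legitimate shell, that a Win9x/ME SYSTEM.INI [boot] section and an NT Winlogon key exported as .reg text are the two places to look, and that anything chained after the shell, whether space-separated (SYSTEM.INI style) or comma-separated (the Winlogon Shell REG_SZ list), is suspect. Both input samples are constructed and embedded inline; nothing here touches a live system.

```python
"""Detect and reset a hijacked shell= directive (added example, not Multi_AV code).

Constructed inputs: a Win9x/ME SYSTEM.INI with a chained loader and a .reg
export of the NT Winlogon key. Assumption: 'explorer.exe' is the only
legitimate shell; every other program named in the directive is flagged.
"""
import re
from typing import List, Tuple

DEFAULT_SHELL = "explorer.exe"

# Constructed sample SYSTEM.INI; the path after Explorer.exe is made up.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\wininit32.exe
system.drv=system.drv
[386Enh]
device=*vmm32
"""

# Constructed .reg export of the NT Winlogon key; Shell is a REG_SZ list
# and .reg files double every backslash.
SAMPLE_WINLOGON_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\WINDOWS\\system32\\svchost32.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""


def split_shell(value: str) -> List[str]:
    """Split a shell directive into its component programs.

    Both separators seen in chained directives are handled: whitespace
    ('explorer.exe malware.exe') and commas (Winlogon's REG_SZ list).
    """
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def extra_programs(value: str) -> List[str]:
    """Return every program chained after (or instead of) the default shell."""
    return [t for t in split_shell(value) if t.lower() != DEFAULT_SHELL]


def repair_system_ini(text: str) -> Tuple[str, List[str]]:
    """Reset [boot] shell= to the default; return new text and removed items."""
    removed: List[str] = []
    out: List[str] = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot" and "=" in stripped:
            key, _, val = stripped.partition("=")
            if key.strip().lower() == "shell":
                removed.extend(extra_programs(val))
                line = f"shell={DEFAULT_SHELL}"
        out.append(line)
    return "\n".join(out) + "\n", removed


def check_winlogon_reg(reg_text: str) -> Tuple[str, List[str]]:
    """Extract the Winlogon Shell value from a .reg export and flag extras."""
    m = re.search(r'^"Shell"="(.*)"$', reg_text, re.MULTILINE)
    if not m:
        return "", []
    value = m.group(1).replace("\\\\", "\\")  # undo .reg backslash doubling
    return value, extra_programs(value)


if __name__ == "__main__":
    fixed, gone = repair_system_ini(SAMPLE_SYSTEM_INI)
    print("SYSTEM.INI removed:", gone)
    print(fixed)
    shell, extras = check_winlogon_reg(SAMPLE_WINLOGON_REG)
    print("Winlogon Shell:", shell, "->", extras)
```

Run on a real box you would read the live key instead of a .reg export and apply the same test; the point of the example is that the directive must be tokenised on both separators before comparing against the default, or a comma-chained entry slips past a check that only looks for a space.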

> >> I have a NEW utility. It combines Trend Sysclean, the McAfee Command Line Scanner and
> >> the Sophos Command Line Scanner all in one menu driven utility.
> >>
> >> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
> >>
> >> After you execute and extract the files, look at the PDF help file.
> >> "C:\AV-CLS\Multi AV Command Line Scanner.PDF"
> >>
> >> Let me know what you think and how it can be improved.
> |
> | Nice!
> |
> | A couple of comments, to consider for further versions:
> |
> | I personally hold that cleaning under Windows should be conducted from self
> | boot, from the installed OS. Yet since you mention the option of clean booting
> | for Win 9x/Me with the aid of a boot disk made from www.bootdisk.com, be aware
> | that there exists a free (for private use) boot disk with full read-write NTFS
> | access from DOS, at http://www.datapol-technologies.com/dpe/recovery/ntfs/
> |
> | In your instructions (PDF file), I would recommend that anything you suggest
> | running from safe mode be run from safe mode WITH COMMAND PROMPT instead.
> | The reason is that much malware loads by injecting through Explorer, which loads
> | in safe mode just as well. You have my permission to include the ToggleMode
> | utility in your package, if required. You may need it to start Win 9x/Me in
> | safe mode with command prompt (a mode they lack inherently). From
> | www.invircible.com/item/80

> You mentioned -- "...malware load by injecting through Explorer..." The script will look at
> the "shell=explorer.exe" directive of the Registry in NT and in SYSTEM.INI in Win9x/ME. If
> there is malware being chained off of explorer such as...
> shell=explorer.exe malware.exe
> When you run the script in Normal Mode to update the Command Line Scanner (CLS), it will
> properly set the shell= directives back to "shell=explorer.exe" and should not load the
> malware again when rebooted into Safe Mode.

Chaining commands is one way to inject malware through Explorer. There are
other ways too which cannot be monitored as simply, like insertion in the
startup queue. Such applications will only initialize after Explorer, which is
one of the reasons for which you are better off in safe mode with command prompt.

I don't remember right now which malware didn't clean properly in safe mode, but
I can tell that I saw a few during the last three years.

The only drawback of cleaning in safe mode with command prompt is that it
requires some mastering of the command line.

Zvi Netiv wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>
>
>>Hi Malke:
>
>
> Would you mind for others' comments? ;-)
>
>
>>I have a NEW utility. It combines Trend Sysclean, the McAfee Command Line Scanner and the
>>Sophos Command Line Scanner all in one menu driven utility.
>>
>>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>>
>>After you execute and extract the files, look at the PDF help file.
>>"C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>>
>>Let me know what you think and how it can be improved.
>
>
> Nice!
>
> A couple of comments, to consider for further versions:
>
> I personally hold that cleaning under Windows should be conducted from self
> boot, from the installed OS. Yet since you mention the option of clean booting
> for Win 9x/Me with the aid of a boot disk made from www.bootdisk.com, be aware
> that there exists a free (for private use) boot disk with full read-write NTFS
> access from DOS, at http://www.datapol-technologies.com/dpe/recovery/ntfs/
>
> In your instructions (PDF file), I would recommend that anything you suggest
> running from safe mode be run from safe mode WITH COMMAND PROMPT instead.
> The reason is that much malware loads by injecting through Explorer, which loads
> in safe mode just as well. You have my permission to include the ToggleMode
> utility in your package, if required. You may need it to start Win 9x/Me in
> safe mode with command prompt (a mode they lack inherently). From
> www.invircible.com/item/80
>
> Regards, Zvi
> --
> NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
> InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

Zvi-
Thank you for posting the link to NTFS read/write for DOS. I had a
link before but lost it.
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.

Bigbruva

07-09-2005, 11:49 PM

Nice job David!
I have a few machines that I will be working on over the weekend so I'll let
you know how your latest tool works out.

BB

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u6zoRS7aFHA.3280@TK2MSFTNGP12.phx.gbl...
> From: "Galen" <galennews@gmail.com>
>
>
> |
> | Dave,
> |
> | I'm not Malke (you knew that though) but would you mind if I play with
> that?
> | I enjoyed your last malware removal process a great deal. (Thread long
> since
> | cycled out of the NGs I'm sure.) And, would you want additional traffic
> (if
> | it works out that way) from here:
> |
> | Malware Cleaning :
> | http://www.kgiii.info/windows/all/general/malwarefix.html
> |
> | If so where would you like me to link them? (You can reply off-list if
> you
> | want.)
> |
> | Galen
> | --
> |
> | "And that recommendation, with the exaggerated estimate of my ability
> | with which he prefaced it, was, if you will believe me, Watson, the
> | very first thing which ever made me feel that a profession might be
> | made out of what had up to that time been the merest hobby."
> |
> | Sherlock Holmes
> |
>
> Galen:
>
> Please go right ahead and "kick the tires" and take it for a road test.
>
> And yes, you can link to them. ;-)
>
> I eagerly await your findings...and feedback.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Malke

07-09-2005, 11:49 PM

What's in a Name? wrote:

> Zvi Netiv wrote:
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>>
>>
>>>Hi Malke:
>>
>>
>> Would you mind for others' comments? ;-)
>>
>>
>>>I have a NEW utility. It combines Trend Sysclean, the McAfee
>>>Command Line Scanner and the Sophos Command Line Scanner all in one
>>>menu driven utility.
>>>
>>>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>>>
>>>After you execute and extract the files, look at the PDF help file.
>>>"C:\AV-CLS\Multi AV Command Line Scanner.PDF"
>>>
>>>Let me know what you think and how it can be improved.
>>
>>
>> Nice!
>>
>> A couple of comments, to consider for further versions:
>>
>> I personally hold that cleaning under Windows should be conducted
>> from self boot, from the installed OS. Yet since you mention the
>> option of clean booting for Win 9x/Me with the aid of a boot disk
>> made from www.bootdisk.com, be aware that there exists a free (for
>> private use) boot disk with full read-write NTFS access from DOS, at
>> http://www.datapol-technologies.com/dpe/recovery/ntfs/
>>
>> In your instructions (PDF file), I would recommend that anything you
>> suggest running from safe mode be run from safe mode WITH COMMAND
>> PROMPT instead. The reason is that much malware loads by injecting
>> through Explorer, which loads in safe mode just as well. You have my
>> permission to include the ToggleMode utility in your package, if
>> required. You may need it to start Win 9x/Me in safe mode with
>> command prompt (a mode they lack inherently). From
>> www.invircible.com/item/80
>>
>> Regards, Zvi
>> --
>> NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
>> InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
>
> Zvi-
> Thank you for posting the link to NTFS read/write for DOS. I had a
> link before but lost it.
> -max

I installed Dave's new utility on my own machine to see how it works,
and it looks good. I think it will be very useful for fairly savvy
computer users who want to clean up their own boxen, and it will save
them from having to go to 4 different places to update. It will also be
a blessing for those people who don't have other computers available
with which to get the updates.

For me, since I'm a tech, I want utilities that don't need to be
installed anywhere, like plain old Sysclean. I keep Sysclean and Sysup
on my own machine along with all my other software tools and then
update the tools I need very frequently depending on my workload. I
then have the updated tools on a thumbdrive and also on a cd-r for
those older machines where I won't even be able to install the
thumbdrive drivers. I also keep my crucial software tools on my private
ftp site if I need to get them when I'm out without my thumbdrive or
kit (yes, occasionally I go somewhere without them!).

My first pass on a machine is by hand to see what's going on. I always
work in Safe Mode with no networking. My second pass is with Sysclean.
Then what I do next depends on the state of the box. But this is just
me. Please, please don't take this as any criticism of Dave's work. I
think what he does in terms of writing these programs and in end user
support (newsgroups, etc.) is truly awesome.

>I personally hold that cleaning under Windows should be conducted from self
>boot, from the installed OS.

This really depends on what you fear most; malicious effects from code
that is designed to be malicious, or side-effects from removing it.

My take is to approach traditional malware formally, and commercial
malware through the infected OS's Safe Mode Cmd Only, as my
expectation of the balance of risk differs with respect to these
categories. Also, right now, there are no scanners for commercial
malware that will run formally, unless already installed informally.

(by "formal", I mean without running any ?infected code first - i.e.
the opposite of what Zvi is advocating - so the malware is inactive)

Rather than guess, though, I'd say it's better to start with a formal
detection-only scan, so that you can read up on what is found, as
there may be caveats that guide the cleaning process.

Depending on the scanner, formal scanning may be less effective in
detecting malware, so I do repeat such scans informally and even
within each user account's normal mode, as I progress into the system,
detecting and cleaning as I go.

The reason is that scanners written to run from the infected OS are
likely to look to the wrong registry, and thus miss infection cues,
when they are run from a host OS - be it a PC into which the HD has
been dropped, or an OS that's booting from a Bart's CDR.

>...there exists a free (for private use) bootdisk to NTFS from DOS, with full
>read-write access, from http://www.datapol-technologies.com/dpe/recovery/ntfs/

Sounds good - OMW to check it out. Thanks, Zvi!

BTW, y'all prolly know about the two DOS TSRs that offer NTFS support,
as available from www.systeminternals.com - the free one is read-only
and self-contained, and the fee one shells NT's existing code and can
write as well as read. I've only used the free one, and found it a
bit of a RAM hog; F-prot for DOS manages to run under it, but fails to
recurse the volume's subtrees correctly.

The free NTFS driver doesn't support LFNs either, and because Odi's
LFN Tools can't work through a driver layer, that doesn't work either.
But I discovered that you can combine it with an LFN support TSR, and
thus access and preserve LFNs, as long as you load the LFN TSR before
the NTFS TSR. Counter-intuitive, but required if it's to work :-)

Finally, on this topic, note that one of the two LFN TSRs for DOS has
a serious bug; it fails to increment the 8.3 index number when
creating LFNs that have the same first 6 characters. So instead of
(say) MICROS~1, MICROS~2, MICROS~3, you get non-unique MICROS~1,
MICROS~1, MICROS~1. I've contacted the author on this, and it's going
to stay that way as he's abandoned the project.

I can't remember the details and URLs, but they're in here:

http://cquirke.mvps.org/whatmos.htm

>In your instructions (PDF file), I would recommend that anything you suggest
>running from safe mode, be run from safe mode WITH COMMAND PROMPT instead.
>The reason is that many malware load by injecting through Explorer, that loads
>in safe mode just as well.

Safe Mode isn't, and unfortunately, not only because of shell
integration into Explorer (CLSIDs, BHOs etc.) and process injection,
but also because by design, it's possible for some registry Runxx to
be active in Safe Mode, as are drivers, screensaver, and malware
integration via file associations.

Both Windows Explorer and Cmd.exe have their own exploitable risk
surfaces, but of the two, Cmd.exe is safer and more manageable (e.g.
if you always use full file spec and extension, you'd generally be OK)

>You have my permission to include the ToggleMode utility in your
>package, if required. You may need it to start Win 9x/Me in
>safe mode with command prompt (a mode they lack inherently). From
>www.invircible.com/item/80

That's a good point; else you'd have to first boot DOS mode and edit
System.ini shell=command.com to create a true Safe Mode Command Only,
i.e. a Win32 environment that can run Win32 apps, as DOS mode can't.
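The 8.3 numeric-tail rule whose failure is described above (MICROS~1, MICROS~1, MICROS~1 instead of ~1, ~2, ~3), written out as an added example. This is not the code of either DOS LFN TSR or of any driver mentioned in the thread; it is a simplified model of the VFAT short-name scheme built for this page, assuming a per-directory set of names already in use, uppercase conversion, removal of spaces and embedded dots, a 3-character extension and the plain ~N tail (real drivers add hashed tails and code-page handling, which are omitted here). The directory listings are constructed.

```python
"""Assign 8.3 short names with a per-directory numeric-tail index.

Added illustration of the ~N collision rule; not the code of any DOS TSR.
Simplified VFAT model: uppercase basis, spaces and inner dots removed,
illegal characters replaced by '_', 3-char extension, ~N tail incremented
until the candidate is unused in the directory.
"""
import re
from typing import Dict, Iterable, Set

# Characters permitted in a short name; anything else becomes '_'.
_INVALID = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def _clean(part: str) -> str:
    """Uppercase a name component and strip spaces, dots and illegal chars."""
    return _INVALID.sub("_", part.replace(" ", "").replace(".", "").upper())


def _basis(lfn: str):
    """Split a long name into its uppercase basis name and 3-char extension."""
    name, dot, ext = lfn.rpartition(".")
    if not dot:  # no extension at all
        name, ext = lfn, ""
    return _clean(name), _clean(ext)[:3]


def short_name(lfn: str, used: Set[str]) -> str:
    """Return an 8.3 name for lfn that is unique within `used`, recording it.

    A name that is already a legal 8.3 name (unchanged once uppercased,
    basis of at most 8 characters) is kept as is. Otherwise the basis is
    truncated to make room for a ~N tail and N is incremented until the
    candidate is not already in the directory. The broken TSR described
    in the thread behaves as if N were never incremented.
    """
    name, ext = _basis(lfn)
    full = name + ("." + ext if ext else "")
    if lfn.upper() == full and len(name) <= 8 and full not in used:
        used.add(full)
        return full
    n = 1
    while True:
        tail = f"~{n}"
        candidate = name[: 8 - len(tail)] + tail + ("." + ext if ext else "")
        if candidate not in used:
            used.add(candidate)
            return candidate
        n += 1


def assign_short_names(lfns: Iterable[str]) -> Dict[str, str]:
    """Map each long name in one directory to a unique short name."""
    used: Set[str] = set()
    return {lfn: short_name(lfn, used) for lfn in lfns}


if __name__ == "__main__":
    # Constructed directory listing with three names sharing "MICROS".
    for lfn, sfn in assign_short_names(
        ["Microsoft Office", "Microsoft Works", "Microsoft Visual Studio",
         "readme.txt", "Program Files", "archive.tar.gz"]
    ).items():
        print(f"{sfn:14} {lfn}")
```

The `used` set is the whole point: the tail index only means something relative to what is already in that directory, so a driver that forgets to consult it (or never increments N) will happily hand out the same MICROS~1 three times, and whichever tool later copies or deletes by short name acts on the wrong file.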